yeah, I remember his post on this issue,
his email attached.
Thanks,
Vasiliy Boulytchev
Colorado Information Technologies Inc.
----- Original Message -----
From: Joe Patterson
To: Vasiliy Boulytchev
Sent: Friday, May 10, 2002 7:48 PM
Subject: RE: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
You just make a list somewhere. It's not the most elegant thing in the world, but basically there is somewhere in the config for sentinel where you put in your virtual IP, and that has to match the subnet= line in your connection profile on the freeswan box. The elegant way would be for freeswan to send an ip address to the client. But freeswan can't do this yet. I understand that Andreas knows someone who is working on it, but it isn't here yet.
-Joe
-----Original Message-----
From: Vasiliy Boulytchev [mailto:vasiliy_at_boulytcheva.com]
Sent: Friday, May 10, 2002 9:42 PM
To: Joe Patterson
Subject: Re: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
How do you give out virtual ips?
Vasiliy Boulytchev
Colorado Information Technologies Inc.
----- Original Message -----
From: Joe Patterson
To: Vasiliy Boulytchev
Sent: Friday, May 10, 2002 7:13 PM
Subject: RE: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
It's a problem... There are a few possible solutions. One is to make an incredibly obnoxious config file with one entry for every possible address that he could get. That's what James was talking about. That's an ugly hack, but, as far as I know, functional.
The other solution (which I haven't tried yet, but which should work) involves ssh sentinel. With sentinel, you can specify a "virtual" ip address for the ipsec client. Then whenever you hand out certificates, hand out an ip address for the sentinel configuration with it, and make a connection definition with cert={the cert you gave} and subnet={the ip address you gave}/32. That *should* work, and has the extra added benefit of allowing you to know what ip corresponds with what user (for logging and access control on your internal servers, for example). One downside to this is that sentinel isn't free. The bigger downside is that sentinel isn't released and being sold yet.
It is conceivable that you could do something similar in stock win2k, by adding an additional address to the adapter that is dhcp'ing, and putting that in the subnet definition with the vpn.ebootis.de tool. But I would bet that it wouldn't work.
-Joe
-----Original Message-----
From: Vasiliy Boulytchev [mailto:vasiliy_at_boulytcheva.com]
Sent: Friday, May 10, 2002 8:33 PM
To: Joe Patterson
Subject: Re: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
Joe,
If I have this guy get his ip DHCPed from his whatever. How would I define that in my ipsec.conf file?
Vasiliy Boulytchev
Colorado Information Technologies Inc.
----- Original Message -----
From: Joe Patterson
To: James Carroll
Cc: users_at_lists.freeswan.org
Sent: Friday, May 10, 2002 2:46 PM
Subject: RE: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
I think you meant something more like rightsubnet=192.168.2.23/32..... /33 or longer netmasks are very rare. :)
-----Original Message-----
From: users-admin_at_lists.freeswan.org [mailto:users-admin_at_lists.freeswan.org]On Behalf Of James Carroll
Sent: Friday, May 10, 2002 9:42 AM
To: Vasiliy Boulytchev
Cc: users_at_lists.freeswan.org
Subject: RE: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
You ask, "What if the guy comes home and he gets a DHCP address? Has Anyone had the same problem?"
I recently realized there's an ugly, but otherwise perfect solution, duplicating the block for every IP address that the client computer could have on their subnet. I've never needed more than three duplicates:
conn plubbers2
    right=%any
    rightsubnet=192.168.2.22/32
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
conn plubbers3
    right=%any
    rightsubnet=192.168.2.22/33
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
conn plubbers4
    right=%any
    rightsubnet=192.168.2.22/34
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
conn plubbers5
    right=%any
    rightsubnet=192.168.2.22/35
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
-Jim
-----Original Message-----
From: Vasiliy Boulytchev [mailto:vasiliy_at_boulytcheva.com]
Sent: Thursday, May 09, 2002 10:57 PM
To: Vasiliy Boulytchev
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] /var/log/secure FFFFIIIIXXXXEEEEEDDDDD
THIS FIXED THE PROBLEM!!!! Why do I have to route like this? What if the guy comes home and he gets a DHCP address?
Has anyone had the same problem?
conn plubbers2
    right=%any
    rightsubnet=192.168.2.22/32
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
Vasiliy Boulytchev
Colorado Information Technologies Inc.
----- Original Message -----
From: Vasiliy Boulytchev
To: users_at_lists.freeswan.org
Sent: Thursday, May 09, 2002 8:08 PM
Subject: [Users] /var/log/secure
Guys, what does this mean?
May 9 20:07:19 bluespruce Pluto[23123]: "plubbers2" 63.230.76.61 #7: cannot respond to IPsec SA request because no connection is known for 10.0.0.0/24===209.12.32.66[C=US, ST=Colorado, L=Colorado Springs, O=Colorado Information Technologies, Inc., OU=ISP, CN=BlueSpruce, E=admin_at_bluespruce.coinfotech.com]...63.230.76.61[C=US, ST=CO, L=Colorado Springs, O=CIT, OU=Software Development, CN=Paul, E=plubbers_at_coinfotech.com]===192.168.3.3/32
Vasiliy Boulytchev
Colorado Information Technologies Inc.
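The thread turns on two things: Pluto's "no connection is known for" message names the exact leftsubnet===...===rightsubnet pair the peer proposed, and James's duplicated conn blocks contain prefix lengths (/33, /34, /35) that are not valid IPv4 netmasks, as Joe points out. The following Python script is an added example, not code from the thread or from FreeS/WAN: it parses an ipsec.conf-style fragment, flags invalid subnet values, pulls the proposed selectors out of a Pluto log line, and reports which conn (if any) has selectors equal to the ones the client asked for. The config fragment and log line embedded below are constructed from the ones posted above (with the subject DNs shortened); the exact-equality match is an assumption about how Pluto selects a conn, and the helper names are mine.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment, modeled on James's post; the /33 entry is
# deliberately kept so the checker has an invalid prefix to flag.
SAMPLE_CONF = """\
conn plubbers2
    right=%any
    rightsubnet=192.168.2.22/32
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
conn plubbers3
    right=%any
    rightsubnet=192.168.2.22/33
    leftsubnet=10.0.0.0/24
    rightcert=plubbers.coinfotech.com.pem
    leftcert=bluespruce.coinfotech.com.pem
"""

# Constructed Pluto log line in the shape quoted in the thread (DNs shortened).
SAMPLE_LOG = ('May  9 20:07:19 bluespruce Pluto[23123]: "plubbers2" 63.230.76.61 #7: '
              'cannot respond to IPsec SA request because no connection is known for '
              '10.0.0.0/24===209.12.32.66[C=US, O=CIT, CN=BlueSpruce]...'
              '63.230.76.61[C=US, O=CIT, CN=Paul]===192.168.3.3/32')


def parse_conns(text):
    """Return {conn_name: {param: value}} from an ipsec.conf-style fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and '=' in line:
            key, val = line.split('=', 1)
            conns[current][key.strip()] = val.strip()
    return conns


def check_subnets(conns):
    """List (conn, key, value) for subnet values that are not valid CIDR, e.g. /33."""
    problems = []
    for name, params in conns.items():
        for key in ('leftsubnet', 'rightsubnet'):
            val = params.get(key)
            if val is None:
                continue
            try:
                ipaddress.ip_network(val, strict=False)
            except ValueError:
                problems.append((name, key, val))
    return problems


# Pulls the proposed selectors out of Pluto's "no connection is known for" line:
# leftsubnet===leftaddr[DN]...rightaddr[DN]===rightsubnet
LOG_RE = re.compile(
    r'no connection is known for (?P<lsub>\S+?)===(?P<lhost>[\d.]+)\[.*?\]\.\.\.'
    r'(?P<rhost>[\d.]+)\[.*?\]===(?P<rsub>\S+)')


def parse_no_connection(line):
    """Return the selectors Pluto rejected, or None if the line is a different message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {'leftsubnet': m['lsub'], 'left': m['lhost'],
            'right': m['rhost'], 'rightsubnet': m['rsub']}


def find_matching_conn(conns, req):
    """Names of conns whose left/right subnet selectors equal the requested pair.

    Exact equality is an assumption about Pluto's lookup; conns with invalid or
    missing subnet values are skipped (check_subnets reports them separately).
    """
    want_l = ipaddress.ip_network(req['leftsubnet'], strict=False)
    want_r = ipaddress.ip_network(req['rightsubnet'], strict=False)
    matches = []
    for name, p in conns.items():
        try:
            have_l = ipaddress.ip_network(p['leftsubnet'], strict=False)
            have_r = ipaddress.ip_network(p['rightsubnet'], strict=False)
        except (KeyError, ValueError):
            continue
        if have_l == want_l and have_r == want_r:
            matches.append(name)
    return matches


def diagnose(conf_text, log_line):
    """One-line summary a list member could act on."""
    conns = parse_conns(conf_text)
    req = parse_no_connection(log_line)
    if req is None:
        return 'log line is not a "no connection is known" message'
    bad = check_subnets(conns)
    hits = find_matching_conn(conns, req)
    if hits:
        return 'matched by conn(s): ' + ', '.join(hits)
    note = f'; invalid subnet values: {bad}' if bad else ''
    return (f"no conn has leftsubnet={req['leftsubnet']} and "
            f"rightsubnet={req['rightsubnet']} (peer {req['right']}){note}")


if __name__ == '__main__':
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```

Run against the sample data it reports that no conn carries rightsubnet=192.168.3.3/32 and that plubbers3 has an invalid /33, which is exactly the pair of facts the thread had to work out by hand; the same check can be pointed at a real ipsec.conf and a line from /var/log/secure.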
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST